Blogger: Eric Maiwald
On February 4th I had the privilege of moderating a panel on cloud security at the Open Group’s First Security Practitioners Conference. On the panel were representatives from Amazon, Salesforce, IBM, and Qualys. The panel was the final session of the day so I had a chance to listen to my panelists make their presentations.
I was encouraged by the presentations, as the vendors were very open about their security controls. A few years ago, when I first looked at the software-as-a-service market and talked to some of these vendors, they were not nearly as forthcoming. In fact, some of the vendors I spoke with simply refused to tell me anything about their internal controls. The openness was refreshing and, as one of the panelists noted, “Security has become a differentiator in the market.”
I asked the panelists about the verification they would provide to customers. Again, the vendors were very open about their ability to provide SAS 70 results and to support customer audits of their facilities and practices. They even spoke about how the audits performed by some large financial firms caused increases in security that benefited all customers. The reason for this was that there was no way for the vendors to offer different levels of control to different clients. Doing so would break their financial models which revolve around economies of scale.
The panel also discussed service level agreements (SLAs) and contracts. While the vendors would not go into detailed contract terms, it was clear that the SLAs were focused on availability and not on other security objectives (confidentiality or integrity, for example). If a vendor violated or didn’t live up to an SLA, the vendor would be happy to refund the appropriate amount of service (for example, the cost of one day’s service if the vendor were down for a day). In some cases you might even get a 110% guarantee. However, the penalty was not structured around the customer’s losses or inconvenience but simply around the service that was not provided. If you think about it from the vendor’s perspective, this makes perfect sense: the vendor is writing the SLA about things that it can control, and it is limiting its exposure (risk) from an unexpected outage.
At the end of the panel, it was clear that while the vendors were willing to show their controls and allow you to audit them, there was a limit as to how much risk they were willing to accept. Enterprises may choose to use cloud services but they need to understand what they are buying (agility, reduced staffing, reduced internal hardware and software) and what they are not buying (risk management and risk transfer). Just because you have transferred an application or a platform to the cloud does not mean that you have also transferred the risk associated with that application or platform. In fact, it may mean that you have chosen to accept additional risk.